IPSec DMVPN Help

albatrow Registered Users Posts: 2 ■□□□□□□□□□
Hi everybody. We want to use an IPSec DMVPN topology. We use the OSPF protocol and we wonder how many Spoke routers we can add to the system. Is it 250, 300 or 1000? Actually we want to use this topology over 2 dual Hub and more than 900 Spokes. Which routing protocol do you suggest? For adding LAN side and tunnel interfaces we will use OSPF. For WAN side it will be static route. Do you suggest BGP? Also, we will use different company devices so it is really complicated. Thank you so much. I am waiting for your help.

Also, we want to use 3G backup links between routers over other tunnel interfaces.

Comments

  • shodown Member Posts: 2,271
    Hmm

    Is there a reason for choosing DMVPN?

    What is your current WAN transport?

    How many sites?
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
  • RouteMyPacket Member Posts: 1,104
    First off, let us know the router models you have chosen for the Hubs as that will determine scalability. Typically the 3900s are good but the new 4400s are where it's at now; look into iWAN as well with these 4400s. I dare say you might be looking at going with an ASR because of the number of spokes you have.

    http://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/datasheet-c78-732542.html

    OSPF over the tunnels is no problem, as well as leveraging 3G as a failover.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • Kelkin Member Posts: 261 ■■■□□□□□□□
    Actually with that many spokes.. I don't think I would go with OSPF.. Best practice with OSPF is limiting to 50 routers in an area.. and with how dynamic DMVPN can be, it could generate a lot of LSA traffic when links flap... Per Cisco the preferred routing protocol for DMVPN is EIGRP..

    Dynamic Multipoint VPN (DMVPN) Design Guide (Version 1.1) - DMVPN Design and Implementation [Design Zone for IPv6] - Cisco

    But again my work with DMVPN is limited.. only used it for a handful of sites..
  • gorebrush Member Posts: 2,743 ■■■■■■■□□□
    Yeah OSPF is going to be a problem over that many links. A topology change could be lethal.

    EIGRP is the recommended solution, for sure, but if you *already* have OSPF - then redesigning a big network could be a problem...
  • albatrow Registered Users Posts: 2 ■□□□□□□□□□
    The WAN transport is over metro ethernet.
    The firm wants to use that DMVPN system actually, it will be made ultimately.
    The manager thinks to choose Cisco 2921 series router with VPN ISM for Hub and Cisco 1921 for Spokes. We also think to choose Cisco 2951 or 3900 series router for Hub. System has not started to be established yet, we are designing the topology now.
    Thank you so much for your answers. I will tell you the final decision.
  • powmia Users Awaiting Email Confirmation Posts: 322
    EIGRP or BGP are the most scalable.

    If you prefer OSPF, the 50 router limit is 100% absolutely completely bogus. That is a design recommendation from 15 years ago and was purely based on existing router mem and cpu... You can push OSPF almost as far as EIGRP if you use point-to-multipoint, and set it up as a mesh-group (database-filter all out) with only defaults sent to the spokes. The decision at that point is what phase you require for your DMVPN. If you want spoke-to-spoke traffic, you can't modify next-hops from other spokes, which means you need OSPF of network-type broadcast (which doesn't scale so big). If you don't and won't ever need spoke-to-spoke tunnels, OSPF can suit you just fine, otherwise look at EIGRP or iBGP w/ RRs.
  • bermovick Member Posts: 1,135 ■■■■□□□□□□
    DMVPN phase 3 should let you just do a default-information originate to the spokes and let NHRP handle the resolution for spoke-to-spoke traffic, shouldn't it? In that case, you could avoid having to do the broadcast network type to help with scalability issues.
    Latest Completed: CISSP

    Current goal: Dunno